The Art of Deception: Controlling the Human Element of Security

Most employee's don't think they are allowed to say 'no' to giving out information over the phone or email in the name of great customer service. There may be company policies but they 'still try to do the right thing' to help a co-worker regain access to the system, when in fact the person is a hacker.

Many solutions are offered to help small and large companies balance the choice of customer service over security and trust. One funny chapter was how Mr. Mitnick's used the same social engineering methods in prison to get additional phone calls, better food, and increase family visits. Classic... He didn't stop even in prison.

I recommend this book.

Rating:
Summary: Interesting & timely about the dangers of social engineering
Review: Kevin Mitnick says "the term 'social engineering' is widely used within the computer security community to describe the techniques hackers use to deceive a trusted computer user within a company into revealing sensitive information, or trick an unsuspecting mark into performing actions that create a security hole for them to slip through." It's suitable that Mitnick, once vilified for his cracking exploits, has written a book about the human element of social engineering - that most subtle of information security threats.

Some readers may find a book on computer security penned by a convicted computer criminal blasphemous. Rather than focusing on the writer's past, it is clear that Mitnick wishes the book to be viewed as an attempt at redemption.

The Art of Deception: Controlling the Human Element of Security states that even if an organization has the best information systems security policies and procedures; most tightly controlled firewall, encrypted traffic, DMZ's, hardened operating systems patched servers and more; all of these security controls can be obviated via social engineering.

Social engineering is a method of gaining someone's trust by lying to them and then abusing that trust for malicious purposes - primarily gaining access to systems. Every user in an organization, be it a receptionist or a systems administrator, needs to know that when someone requesting information has some knowledge about company procedures or uses the corporate vernacular, that alone should not be authorization to provide controlled information.

The Art of Deception: Controlling the Human Element of Security spends most of its time discussing many different social engineering scenarios. At the end of each chapter, the book analyzes what went wrong and how the attack could have been prevented.

The book is quite absorbing and makes for fascinating reading. With chapter titles such as The Direct Attack; Just Asking for it; the Reverse Sting; and Using Sympathy, Guilt and Intimidation, readers will find the narratives interesting, and often they relate to daily life at work.

Fourteen of the 16 chapters give examples of social engineering covering many different corporate sectors, including financial, manufacturing, medical, and legal. Mitnick notes that while companies are busy rolling out firewalls and other security paraphernalia, there are often unaware of the threats of social engineering. The menace of social engineering is that it does not take any deep technical skills - no protocol decoders, no kernel recompiling, no port scans - just some smooth talk and a little confidence.

Most of the stories in the book detail elementary social engineering escapades, but chapter 14 details one particularly nasty story where a social engineer showed up on-site at a robotics company. With some glib talk, combined with some drinks at a fancy restaurant, he ultimately was able to get all of the design specifications for a leading-edge product.

In order for an organization to develop a successful training program against the threats of social engineering, they must understand why people are vulnerable to attack in the first place. Chapter 15 explains of how attackers take advantage of human nature. Only by identifying and understanding these tendencies (namely, Authority, Liking, Reciprocation, Consistency, Social Validation, and Scarcity), can companies ensure employees understand why social engineers can manipulate us all.

After more than 200 pages of horror stories, Part 4 (Chapters 15 and 16) details the need for information security awareness and training. But even with 100 pages of security policies and procedures (much of it based on ideas from Charles Cresson Wood's seminal book Information Security Policies Made Easy) the truth is that nothing in Mitnick's security advice is revolutionary - it's information security 101. Namely, educate end-users to the risks and threats of non-technical attacks.

While there are many books on nearly every aspect of information security, The Art of Deception is one of the first (Bruce Schneier's Secrets and Lies being another) to deal with the human aspect of security; a topic that has long been neglected. For too long, corporate America has been fixated with cryptographic key lengths, and not focused enough on the human element of security.

From a management perspective, The Art of Deception: Controlling the Human Element of Security should be on the list of required reading. Mitnick has done an effective job of showing exactly what the greatest threat of attack is - people and their human nature.

Rating:
Summary: Puts the Others to Shame
Review: There are plenty of other so-called 'hackers' who are 'coming out' to help the world and writing books about it, and I have read most if not all them.

When I ordered 24 copies from Wiley & Sons [the publisher] for resale at my eBookstore, I thought it would be just another hacker book that would sell well, but would leave it's reader not knowing a whole lot more about the subject of information security (InfoSec) than they did before they picked up the book and parted with their funds. I was wrong.

Mitnick's book is full of useful information that can [and should] be put to use in any organization. The advice provided is not only practical but detailed and logical. The stupidity or carelessness of one user on the corporate LAN can render millions of dollars in gee-wiz security gadgets useless, allowing hackers into sensitive severs housing customer contact lists, proprietary trade secrets and internal memorandums containing confidential and personal information.

For those of you who don't know, Mitnick breached the security of the largest corporations in America, including Motorola. After one of the most exhaustive manhunts in FBI history, and Mitnick's subsequent release from federal prison, he has been the most sought-after security consultant in the world.

Mitnick, who is probably the world's foremost expert in trickery to gain access to sensitive information (known as 'social engineering'), reveals exactly how vulnerable you and your companies' personal information is to someone posing as an IRS Agent or as a AT&T Customer Service Representative. You could say that Mitnick either had god's unlisted telephone number, or he could trick someone into giving it to him.

Full of information that any company can use to implement effective security practices and make sure they are followed, The Art of Deception is a book that every corporate security manager, investigator and hacker alike should have on his or her desk.

Rating:
Summary: There are lessons here ...
Review: While it's a temptation to impose value judgement about the author who is a convicted felon, I strongly urge anyone who is involved in security (IT and corporate), internal auditors and fraud prevention specialists to suspend any opinions of the author and to carefully read this book.

What we in the IT world call 'social engineering' is nothing more than a con that exploits human trust. Mitnick was highly effective at social engineering and this book provides a wealth of information regarding his views of 'social engineering' vulnerabilities and how he exploited them. He exposes the details of some of the most effective techniques used by those who use social engineering to accomplish their goals - whether those goals are as sinister as corporate espionage or fraud, or merely to prove that they can gain access to systems and information. While some of the recommended countermeasures in this book may seem Draconian there is middle ground to implement effective controls that do not hamper business processes or impose overly restrictive policies.

The bottom line, though, is to learn from this book and distill the key lessons into knowledge throughout your organization. Awareness is one of the most powerful security tools, and this book promotes that. Also, while this book is ostensibly about IT security, the lessons imparted are as applicable to any other aspect of a business as they are to IT - in many ways there are even more applicable because the exploits are based on effective con games that were in existence long before computers came on the scene.

Rating:
Summary: Amazing! This book will make you think
Review: I went into this book thinking I knew a fair amount about security in general. You know, don't leave your network password on a post-it on your bulletin board, be aware of strangers in your office, that kind of thing. Then, I finished reading the book, and realized that it challenged all the assumptions that I had about the way I react in these situations. Mitnick's right - we as human beings are conditioned to be polite and trusting, and as horrible as it seems, that's not always right. But you don't have to become nasty and distrustful, just aware. That's what this book is talking about. The examples are wonderful - they really do read like a mystery thriller. And the advice is really sound. It doesn't mention it here, but there is a great flowchart in the back of the book that I've copied for everyone in my office. It details what to do if someone calls you for information that you are not sure they need or should be getting. All in all, The Art of Deception is a must read for many of us.

Rating:
Summary: Kevin Mitnick Book
Review: I'm sorry, but a book by an ex-hacker who got caught in 1981 isn't my idea of hacking educational material. Those who know Mitnick's background know exactly why he is being pushed upon us as a 'reformed' expert hacker. A 'hacker' who last practiced his criminal behavior in 1981 knows less about today's technology than an AOL user does.

Rating:
Summary: A good eye-opener for business people
Review: I'm a business person turned technical and have mixed opinions about this book. I would recommend it to people who have no awareness of how social engineering can compromise computer security above any physical security countermeasures.

It is repetitive in its warnings and examples, but one's reaction to that repetitiveness (boredom, apathy) only serves to illustrate how one can easily become a target of deception. One must analyze all social interactions within any high-security context to decrease security risk. This book emphasizes that a situation can actually be high-security without the average business person knowing it.

Rating:
Summary: Very boring. Not worth the time it takes to read
Review: I bought this book based on the positive reviews here at Amazon. I was very disappointed. The book is nothing but a collection of anecdotes most of which are very much the same. Over and over the same little story is told with very little value. I read half this book then just couldn't do it anymore. It was horrible. To top it off Mitnick admits that these stories are fiction. A collection fictitious stories on how someone might dupe someone else to get their password. This Mitnick guy is just using his name to sell books. The content obviously doesn't matter to him. The first few little stories are amusing and then disappointment sets in as the rest of the book is basically the same little stories over and over with a name change here and there. Complete filler. For those of you that think this is a computer book - it is not. Nothing about computers here. Its all about social engineering aka "con games". The writing seems to be targeted towards teenagers. That or Mitnick is very immature.

Rating:
Summary: Well-written and important.
Review: NOTICE: If you work in computer security in any capacity, you MUST read this book. You will learn tricks used by the most successful "social engineers" in the world, and you will learn what you can do to prevent these issues from ever happening to you and whoever you work for.

Now that we're done with that, my first reccomendation if you plan to purchase this book is that you search the internet a bit more and dig up the "unreleased" first chapter to this book (freely available if you can find it)- in which Mitnick planned to release what is essentially his autobiography. You'll gain a new appreciation for exactly how hysterical people became trying to take this man down, and more importantly, you'll learn exactly what all the fuss is about.

As for the actual book, Mitnick on computer security is akin to reading a book on how to play basketball from Michael Jordan, or how to direct a film by Steven Spielberg, or on how to make money by Bill Gates. There is simply no better source. Mitnick's writing is generally non-technical so that it can be understood by anyone, and personal enough that it's always involving. Remember- the skill that this man is famous for is the art of telling a convincing story, and he was so good at his skill that he became the most wanted criminal in the world for it. What else is there to say?

Rating:
Summary: Excellent Book you may know some details about security...
Review: I found the book really amazing, it helped me to improve a lot of things in my life and the compay, it provide important examples about security, and it shows you how 'social engineering' can cause damages not only to a company also to your self. And also the importance that we need to give to our knowledge.